In recent years, it has become increasingly difficult to detect malicious activity carried out on networks. The sophistication of intrusions has increased substantially, as entities with greater resources, such as organized crime and state actors, have directed those resources towards developing new modes of intrusion.
One particularly harmful type of intrusion is the situation in which an outside entity takes control of a host inside a company or organization. When this happens, the host can be controlled and used as a source of attacks against other targets or as a means to exfiltrate data from within the organization. What makes this type of attack difficult to detect is that it can be carried out slowly over time: each individual connection looks like "normal" network activity, and the pattern only becomes visible once data about the activity is analyzed over longer periods.
This type of controlled attack is common among criminals in the digital world, where a controlled internal host (e.g. an infected computer inside an organization's network) is used in a botnet to carry out attacks on behalf of a bot master or to exfiltrate data from an internal source.
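The following is an added example, not part of the original text, of the kind of long-window analysis the paragraph above calls for. It works over a constructed set of flow records (timestamp, source, destination, port, bytes) and looks for three signs of a relay host at once: a regular "beacon" from an internal host to one external peer, new connections opened shortly after each beacon (the host acting on behalf of a bot master), and exfiltration whose per-flow volume is unremarkable but whose sum over a day is not. The address ranges, the controller address 203.0.113.7, the hosts 10.1.2.3 and 10.1.2.9, and all thresholds are assumptions chosen for the example.

```python
"""Relay-host detection over a long window of flow records.

Added example with constructed data; every IP address, range and threshold
below is an assumption, not something taken from the original text.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range


def is_internal(ip):
    return ip_address(ip) in INTERNAL


# Constructed sample flows: (timestamp, src, dst, dst_port, bytes_out).
# Assumed roles: 10.1.2.3 is the compromised relay, 203.0.113.7 its controller,
# 10.1.2.9 a clean host that browses to a different site every hour.
FLOWS = []
_base = datetime.fromisoformat("2024-03-01T00:00:00")
for _hour in range(12):
    _beacon = _base + timedelta(hours=_hour, minutes=(_hour * 7) % 5)  # slight jitter
    # hourly check-in to the controller, each carrying a modest amount of data
    FLOWS.append((_beacon, "10.1.2.3", "203.0.113.7", 443, 35_000))
    # two minutes after each check-in the relay probes a new internal target
    FLOWS.append((_beacon + timedelta(minutes=2), "10.1.2.3", f"10.1.3.{_hour + 10}", 445, 900))
    # ordinary traffic from the clean host: one larger download, no regular peer
    FLOWS.append((_base + timedelta(hours=_hour, minutes=17), "10.1.2.9", f"198.51.100.{_hour + 1}", 443, 60_000))


def beacon_candidates(flows, min_count=6, tolerance=timedelta(minutes=10)):
    """Internal->external pairs contacted repeatedly at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = sorted(gaps)[len(gaps) // 2]  # median inter-arrival time
        if all(abs(g - med) <= tolerance for g in gaps):
            found[pair] = (times, med)
    return found


def relay_candidates(flows, beacons, follow=timedelta(minutes=10), min_targets=5):
    """Beaconing hosts that open connections to fresh targets shortly after each beacon."""
    result = {}
    for (host, controller), (times, _) in beacons.items():
        targets = set()
        for ts, src, dst, _, _ in flows:
            if src != host or dst == controller:
                continue
            if any(0 <= (ts - b).total_seconds() <= follow.total_seconds() for b in times):
                targets.add(dst)
        if len(targets) >= min_targets:
            result[host] = {"controller": controller, "targets": sorted(targets)}
    return result


def slow_exfil(flows, window=timedelta(hours=24), total_threshold=300_000, per_flow_cap=50_000):
    """Internal->external pairs whose flows each look normal but add up within the window.

    Returns the running total at the moment the threshold was first crossed.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, recs in by_pair.items():
        recs.sort()
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(recs):  # sliding window over sorted flows
            total += nbytes
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total >= total_threshold and max(n for _, n in recs[start:end + 1]) <= per_flow_cap:
                flagged[pair] = total
                break
    return flagged


def report(flows):
    """Combine the three indicators into one summary keyed by internal host."""
    beacons = beacon_candidates(flows)
    return {
        "relays": relay_candidates(flows, beacons),
        "exfil": {src: (dst, total) for (src, dst), total in slow_exfil(flows).items()},
    }


if __name__ == "__main__":
    for kind, hits in report(FLOWS).items():
        print(kind, hits)
```

Each check is deliberately weak on its own (a regular beacon could be a software updater, a burst of new connections could be a scanner tool); the point of the example is that the host only stands out once all three are correlated over a window of hours, which is exactly why short-window inspection of the same flows would pass them as normal.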
There is thus a need for an approach that effectively and efficiently identifies scenarios in which an outside entity uses a relay host to attack networks.